Abstract. A new model for representing temporal access control policies is introduced. In this model, temporal authorizations are represented by time attributes associated with both subjects and objects, and a "time interval access graph." The time interval access graph is used to define constraints on the temporal relations between subjects and objects. Interval algebra is used to define and analyze the time interval access graph.


1 Introduction

In many commercial and military environments, time is often a critical factor for making decisions regarding authorization or access to information. The value or sensitivity of data and processes has become more dependent upon time attributes. Thus, future information systems will need to support system-wide security policies that incorporate time as a decision factor. To this end, a Time Interval Access Control (TIAC) model has been developed.

A significant contribution of the TIAC model is that it provides formal semantics to express temporal authorization policies, in which temporal attributes of subjects and objects are used to determine authorized accesses. The TIAC model differs from previously proposed models such as the Temporal Authorization Model by Bertino et al. [5, 6] and the Temporal Data Authorization Model by Gal and Atluri [4, 7], primarily in its ability to specify temporal relations between subjects and objects.

Another contribution of the TIAC model is that it is the first use of interval algebra [3] to express a temporal access control policy. This algebra provides the necessary expressive power to logically describe a temporal access control policy, and a precise and efficient way to computationally reason about the temporal relation between subjects and objects and associated access constraints. Policy enforcement mechanisms and the modeling of the effectiveness of those mechanisms with respect to the type of temporal authorizations describable in TIAC are outside of the scope of this paper (see [1]).

A brief discussion of interval algebra is presented in Section 2. Section 3 provides a description of the TIAC model, where we establish the definition of time intervals and discuss the formal semantics used for representing temporal authorizations and access requests. Finally, future work and conclusions are presented in Section 4.
2 Background

Interval algebra [3] provides a means to represent time intervals associated with actions and entities and to computationally reason about their relationships. It defines the possible relations that can hold between two time intervals (see Table 1). These relations are mutually exclusive, in that only one is needed to describe the relative temporal placement of any two time intervals. Interval algebra assumes that the beginning and ending points (signified with "-" and "+" respectively) of an interval do not coincide. For each entry in Table 1, the first line shows the basic relation and the second line shows its inverse relation.


Table 1. Basic temporal relationships

Relation              Predicate Form         Symbol   Relation on Endpoints
x before y            BEFORE(x,y)            <        (x+ < y-)
y after x             AFTER(y,x)             >

x equals y            EQUALS(x,y)            =        (x- = y-) ∧ (x+ = y+)
y equals x            EQUALS(y,x)            =

x meets y             MEETS(x,y)             m        (x+ = y-)
y met by x            MET_BY(y,x)            mi

x overlaps y          OVERLAPS(x,y)          o        (x- < y-) ∧ (x+ > y-) ∧ (x+ < y+)
y overlapped by x     OVERLAPPED_BY(y,x)     oi

x during y            DURING(x,y)            d        (x- > y-) ∧ (x+ < y+)
y includes x          INCLUDES(y,x)          di

x starts y            STARTS(x,y)            s        (x- = y-) ∧ (x+ < y+)
y started by x        STARTED_BY(y,x)        si

x finishes y          FINISHES(x,y)          f        (x- > y-) ∧ (x+ = y+)
y finished by x       FINISHED_BY(y,x)       fi

[Pictorial Meaning column of the original table not reproduced]

A set of time intervals and their required or allowed interrelationships can be represented using a directed graph (also known as an interval algebra network, or IA network), in which each vertex represents an individual time interval and each directed edge represents the relationship(s) between a pair of vertices.
3 TIAC Model

The TIAC model provides a formal semantic framework to extend existing authorization models with policies (e.g., restrictions) regarding the temporal relationships between subjects (e.g., user), objects (e.g., data) and the time of access.

In this section, a discussion of time and intervals provides a foundation for the TIAC model. Then the elements that make up the TIAC model are described. These elements are: 1) temporal entities, 2) the time interval access graph, 3) temporal authorizations, 4) access requests, and 5) the evaluation of access requests.

3.1 Time and Intervals

Time is assumed to be a set of discrete points, T, which is isomorphic to the natural numbers and is linearly ordered with respect to the < relation. Points in T are used in representing time intervals.

Time intervals are represented using half-open intervals denoted as τ = [t-, t+) where t- < t+. Half-open intervals are used so that there are no semantic ambiguities about the point where two time intervals meet. A unit time interval is the smallest expressible interval. It has a duration of one, where t+ = t- + 1. When referring to the current time, a unit time interval is used. For discussion purposes, the current time will be referred to as now.τ, where now.τ = [now-, now+).

Time intervals are associated with subjects and objects, and temporal access control policies (restrictions regarding the relationships between intervals) are reasoned about using interval algebra.

3.2 Temporal Entities

Temporal entities are represented using the concept of subjects and objects similar to those discussed by Graham et al., Lampson, and Weissman [8, 9, 10]. Subjects and objects each have an associated time interval (attribute), which is used for making access control decisions.

In the following definitions, S_T = {s1, s2, ..., sn} is the set of temporal subjects, and O_T = {o1, o2, ..., on} is the set of temporal objects (i.e., the passive entities that hold data or information and are accessed by temporal subjects).

Definition 1 (Temporal Object, Temporal Subject). A temporal entity α is an object o ∈ O_T, or a subject s ∈ S_T, with which is associated a time interval τ = [t-, t+) where:

α.τ designates the time interval associated with α

α.t- designates the time point at the beginning of interval α.τ

α.t+ designates the time point at the end of interval α.τ

The time interval associated with a subject or object may be used to describe access constraints based on a temporal policy. For example, a time interval could be used to represent when a subject is valid or when an object may be accessed. Using interval algebra, it is possible to express policies regarding the temporal relations between a subject, an object, and a reference time interval such as now.τ.
3.3 Time Interval Access Graph φ

The TIAC model introduces the time interval access graph φ, a consistent instantiation of a three-vertex IA network that defines access constraints on the temporal relations between subjects and objects, and a reference time interval (τ_ref). A consistent version of any three-node access graph can be efficiently determined [1, 2, 3].

Definition 2 (Time Interval Access Graph φ). The time interval access graph φ is a consistent instantiation of a three-vertex IA network G = (V, E) where:

V = {s.τ, o.τ, τ_ref}

E = {(s.τ, o.τ), (τ_ref, s.τ), (τ_ref, o.τ)}

R = {<, >, d, di, o, oi, m, mi, s, si, f, fi, =} ∪ ∅

γ: E → P(R) is a disjunctive set function that specifies the temporal relations allowed between a pair of vertices

For example, φ could be instantiated with the following:

s.τ = [5, 20), o.τ = [10, 15), and τ_ref = [11, 12)

γ(s.τ, o.τ) = {includes}, γ(τ_ref, s.τ) = {starts ∨ during}, and γ(τ_ref, o.τ) = {during}

3.4 Temporal Authorizations

Policies often distinguish between different "modes" in which a subject may access an object (e.g., observe, modify, execute, append). A temporal authorization A_τ is a mapping of a subject-object pair to a set of mode-φ pairs, which completely defines the temporal authorization policy for the subject with respect to that object. For simplicity of presentation, it is assumed herein that there is only one mode-φ pair per subject-object pair.

Definition 3 (Temporal Authorization). A temporal authorization A_τ is defined as a 4-tuple (s, o, m, φ) where:

s ∈ S_T is a temporal subject
o ∈ O_T is a temporal object
m ⊆ M is the allowed mode(s) of access

φ is the time interval access graph that describes the temporal restrictions on the use of o

A temporal authorization A_τ = (s, o, m, φ) states that a subject s is allowed m access to object o as restricted by the time interval access graph φ. For a given policy instantiation, Ω_τ is the set of temporal authorizations.

3.5 Access Requests

A temporal subject, to gain access to a temporal object, initiates an access request for a given mode of access to occur at a particular time. In the most general form, temporal requests would specify an arbitrary time in the past, present and future. For simplicity in this discussion, requests will be characterized relative to now.τ. There are two types of access requests: general access requests and duration access requests.

Definition 4 (General Access Request). A general access request R_g,τ is a 4-tuple (s, o, m, now.τ) where:

s ∈ S_T is a temporal subject
o ∈ O_T is a temporal object
m ⊆ M is a mode(s) of access
now.τ is the time of the access request

A general access request R_g,τ(s, o, m, now.τ) states that a subject s requests m access to object o at time now.τ. Implicit in this form of request is that the subject would be granted access for the maximum duration allowed by the access graph φ associated with s and o (if any exists).

Definition 5 (Duration Access Request). A duration access request R_d,τ is a 5-tuple (s, o, m, now.τ, δ) where:

s ∈ S_T is a temporal subject
o ∈ O_T is a temporal object
m ⊆ M is the mode(s) of access
now.τ is the time of the access request
δ is the requested duration of access

A duration access request R_d,τ(s, o, m, now.τ, δ) states that a subject s requests m access to object o for a duration δ.

3.6 Evaluation of Access Requests

An access request is evaluated as follows: the set of temporal authorizations is searched for a matching subject-object pair. If no match is found, access is denied. If a match is found, the requested mode is compared to the allowed mode, and then the time interval access graph φ is interpreted relative to the requested interval, to grant or deny access. This process is specified in the boolean functions Eval_g and Eval_d.

Eval_g(R_g,τ(s, o, m, now.τ)) ⇔ ∃ (s', o', m', φ) ∈ Ω_τ (s = s' ∧ o = o' ∧ m ⊆ m' ∧ φ = true when evaluated using s.τ, o.τ, and now.τ)

Eval_d(R_d,τ(s, o, m, now.τ, δ)) ⇔ ∃ (s', o', m', φ) ∈ Ω_τ (s = s' ∧ o = o' ∧ m ⊆ m' ∧ φ = true when evaluated using s.τ, o.τ, and now.τ+δ)

Note: now.τ+δ = [now-, now- + δ)
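The following is an added example and not code from the paper: a small Python implementation that ties together the endpoint tests and inverse relations of Table 1, the access graph φ of Definition 2 with the instantiation given in Section 3.3, and the Eval_g and Eval_d functions above. The entity names, mode strings, the dictionary layout chosen for γ, and the helper max_duration (which makes explicit the "maximum duration" that a general access request implicitly asks for) are assumptions of the example.

```python
# Added example (not the paper's code): a TIAC evaluator over half-open
# intervals [t-, t+) on integer time points (Section 3.1).  relation()
# implements the endpoint tests of Table 1, graph_holds() checks an
# instantiated access graph phi (Definition 2), eval_g()/eval_d() follow
# Section 3.6.  Names, modes and the sample policy are constructed.
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

Interval = Tuple[int, int]              # (t-, t+) with t- < t+

# Table 1: each basic relation paired with its inverse.
INVERSE: Dict[str, str] = {
    "before": "after", "after": "before", "equals": "equals",
    "meets": "met_by", "met_by": "meets",
    "overlaps": "overlapped_by", "overlapped_by": "overlaps",
    "during": "includes", "includes": "during",
    "starts": "started_by", "started_by": "starts",
    "finishes": "finished_by", "finished_by": "finishes",
}


def relation(x: Interval, y: Interval) -> str:
    """Return the single Table 1 relation that holds between x and y."""
    xs, xe = x
    ys, ye = y
    if not (xs < xe and ys < ye):
        raise ValueError("intervals must be non-empty half-open [t-, t+)")
    if xe < ys:
        return "before"                 # x+ < y-
    if xe == ys:
        return "meets"                  # x+ = y-
    if xs > ye:
        return "after"
    if xs == ye:
        return "met_by"
    # from here on the two intervals share at least one time point
    if xs == ys and xe == ye:
        return "equals"
    if xs == ys:
        return "starts" if xe < ye else "started_by"
    if xe == ye:
        return "finishes" if xs > ys else "finished_by"
    if xs < ys:
        return "overlaps" if xe < ye else "includes"
    return "during" if xe < ye else "overlapped_by"


def inverse_property_holds(max_point: int) -> bool:
    """Over every interval pair on T = {0..max_point}, check that
    relation(y, x) is the Table 1 inverse of relation(x, y)."""
    ivs = list(combinations(range(max_point + 1), 2))
    return all(relation(y, x) == INVERSE[relation(x, y)] for x in ivs for y in ivs)


# phi (Definition 2): gamma maps each edge to its set of allowed relations.
# Vertex names: "s" = s.tau, "o" = o.tau, "ref" = tau_ref.  An edge mapped
# to the empty set (the "union with the empty set" in R) can never hold.
Gamma = Dict[Tuple[str, str], FrozenSet[str]]


def graph_holds(gamma: Gamma, s_tau: Interval, o_tau: Interval, ref: Interval) -> bool:
    v = {"s": s_tau, "o": o_tau, "ref": ref}
    return all(relation(v[a], v[b]) in allowed for (a, b), allowed in gamma.items())


# A temporal authorization A_tau = (s, o, m, phi) (Definition 3).
Authorization = Tuple[str, str, FrozenSet[str], Gamma]


def _evaluate(omega, subjects, objects, s, o, m, ref):
    # existential search over Omega: matching pair, m subset of m', phi true
    return any(s == s2 and o == o2 and m <= m2
               and graph_holds(gamma, subjects[s], objects[o], ref)
               for s2, o2, m2, gamma in omega)


def eval_g(omega: List[Authorization], subjects: Dict[str, Interval],
           objects: Dict[str, Interval], s: str, o: str, m: FrozenSet[str],
           now: Interval) -> bool:
    """Eval_g: a general access request evaluated against now.tau."""
    return _evaluate(omega, subjects, objects, s, o, m, now)


def eval_d(omega, subjects, objects, s, o, m, now: Interval, delta: int) -> bool:
    """Eval_d: a duration request; now.tau + delta = [now-, now- + delta)."""
    return _evaluate(omega, subjects, objects, s, o, m, (now[0], now[0] + delta))


def max_duration(omega, subjects, objects, s, o, m, now, limit: int) -> int:
    """Largest delta in 1..limit that Eval_d grants (the maximum duration a
    general request implicitly asks for); 0 if no duration is granted."""
    return max((d for d in range(1, limit + 1)
                if eval_d(omega, subjects, objects, s, o, m, now, d)), default=0)


# Constructed sample policy using the instantiation from Section 3.3.
SUBJECTS = {"alice": (5, 20)}
OBJECTS = {"report": (10, 15)}
PHI: Gamma = {
    ("s", "o"): frozenset({"includes"}),
    ("ref", "s"): frozenset({"starts", "during"}),
    ("ref", "o"): frozenset({"during"}),
}
OMEGA: List[Authorization] = [("alice", "report", frozenset({"observe", "modify"}), PHI)]

if __name__ == "__main__":
    obs = frozenset({"observe"})
    print(eval_g(OMEGA, SUBJECTS, OBJECTS, "alice", "report", obs, (11, 12)))   # True
    print(eval_g(OMEGA, SUBJECTS, OBJECTS, "alice", "report", obs, (15, 16)))   # False
    print(max_duration(OMEGA, SUBJECTS, OBJECTS, "alice", "report", obs, (11, 12), 10))  # 3
```

With now.τ = [11, 12) the request is granted because the reference interval is during both s.τ and o.τ; at [15, 16) it is denied because [15, 16) is met by o.τ = [10, 15) rather than during it. A duration request with δ = 4 gives [11, 15), which finishes o.τ and so fails the {during} constraint, which is why max_duration reports 3.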

4 Conclusion and Future Research

In this short paper, we have presented the TIAC model as a novel way to specify temporal access control policies. This model is able to formally specify temporal constraints on time attributes associated with subjects and objects, and a reference time interval such as time of access.

Several areas related to TIAC are still being investigated. We are considering the formal semantics for creating and deleting temporal authorizations as well as the policy implications of the tranquility of temporal attributes associated with subjects and objects. In general, a set of mode-φ pairs can be associated with each subject-object pair in order to be able to express a different policy for each mode of access, but that extension to the TIAC model is left for future work.

We also plan to generalize this model so that it could specify an access request that uses a different reference time interval other than current time, which would allow the model to check for previous, current, and future authorizations. This research is also being extended to determine a set of useful temporal access control policies that can be expressed using the TIAC model. Finally, we are considering other enhancements to the TIAC model that involve extending the TIAC model concept to support the specification of event-based security policies.